How did Android fare in the November Security Bulletin? It may come as no surprise to learn that our old friend the Mediaserver has returned with a critical vulnerability. We also see some new entries in the mix. Let’s dive in and see what’s what.

SEE: Gooligan Android malware grabs a million Google accounts in huge Google Play fraud (ZDNet)

Check your security release

Before we highlight what’s included with the November 2016 Android Security Bulletin, it’s always good to know what security release your device has installed.

Of the Android devices I use regularly, the Verizon-branded Nexus 6 running Android 7.0 is one update behind, with the October 2016 security update, and the OnePlus 3 running Android 6.0.1 is still stuck on the September 2016 security update. Nexus devices, as well as the new Pixel phones, will always be ahead of the curve for the security patches, and the OnePlus 3 has been discontinued so updates may be much slower to arrive.

To find out which security release is installed on your device, open Settings, scroll down and tap About Phone, and then look for Android Security Patch Level (Figure A). If you see an older security patch level, fret not…a new one will appear in an update soon.

Figure A

With that said, let’s dive into what’s new for November.

Critical issues

Remote code execution vulnerability in Mediaserver

And there it is…the Mediaserver is back in the spotlight. As with nearly every previous Mediaserver vulnerability, this issue could enable an attacker to use a specially crafted file in order to cause memory corruption during media file and data processing. Because of the possibility of remote code execution within the context of the Mediaserver process, this vulnerability is rated as Critical.

Related bug: A-31373622

Elevation of privilege vulnerability in libzipfile

This vulnerability affects libzipfile, and it could enable a local malicious application to execute arbitrary code within the context of a privileged process. If a device is compromised by this vulnerability, a reflashing of the operating system may be required.

Related bug: A-30916186

High issues

The number of vulnerabilities rated as High increased for the month of November. The following issues are included in this list.

Remote code execution vulnerability in Skia

Skia serves as the graphics engine for Android. A remote code execution vulnerability has been discovered that could enable an attacker to use a malicious file to cause memory corruption during media file processing. Due to the possibility of remote code execution within the context of the gallery process, this issue is rated as High.

Related bug: A-30190637

Remote code execution vulnerability in libjpeg

Another issue found in the graphics processing is that libskia suffers from a vulnerability that makes use of libjpeg and could enable an attacker to use a specially crafted file to execute arbitrary code in the context of an unprivileged process. Due to the possibility of remote code execution, this issue is rated as High.

Related bug: A-30259087

Remote code execution vulnerability in Android runtime

The Android runtime library suffers from a vulnerability that could enable an attacker using a malicious payload to execute arbitrary code in the context of an unprivileged process. Due to the possibility of remote code execution within an application that uses the Android runtime, this vulnerability is rated as High.

Related bug: A-30765246

Elevation of privilege vulnerability in Mediaserver

The Mediaserver is back again with a few bugs (each rated as High) that can cause an unwanted elevation of privilege. These bugs depend upon a locally installed malicious application that can execute arbitrary code within the context of a privileged process. Due to the chance of gaining local access to elevated capabilities (which are not normally accessible to third-party applications), this issue is rated as High.

Related bugs: A-30229821, A-30229821(2), A-30229821(3), A-30907212, A-30907212(2), A-31385713

Elevation of privilege vulnerability in System Server

The System UI has been found to contain a vulnerability that could enable a malicious user to bypass the security prompt; this can only happen in a work profile when using Android in Multi-Window mode. Because of the possibility of a local bypass of user-interaction requirements for any developer or security setting, this vulnerability is rated as High.

Related bug: A-30693465

Information disclosure vulnerability in download manager

The download manager has been found to be vulnerable in such a way that could enable a local malicious application to bypass protections that isolate data from one application to another. Due to the ability of this issue to gain access to data that an application shouldn’t, this issue has been rated as High.

Related bugs: A-30537115, A-30537115(2)

Moderate issues

Elevation of privilege vulnerability in Framework APIs

The Android Framework APIs have been found to contain a vulnerability that could allow a malicious application to record audio without the user’s permissions. Due to this issue being able to bypass user interaction requirements, this vulnerability is rated as Moderate.

Related bug: A-29833954

Elevation of privilege vulnerability in Account Manager Service

Sensitive information could be retrieved, without user interaction, thanks to a vulnerability found in the Account Manager Service. Due to the ability of this vulnerability to bypass user interaction requirements, this issue is rated as Moderate.

Related bug: A-30455516

Upgrade and update

The developers will work diligently to patch the vulnerabilities, but it is up to the end user to make sure the fixes find their way to devices. Make sure you not only check for updates, but apply them as soon as they are available.

To see the full listing of vulnerabilities, check out the Android November Security Bulletin.